| ID | Name |
|---|---|
| T1213.001 | Confluence |
| T1213.002 | Sharepoint |
| T1213.003 | Code Repositories |
Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation, however, in general may contain more diverse categories of useful information, such as:
| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit |
Consider periodic review of accounts and privileges for critical and sensitive Confluence repositories. |
| M1018 | User Account Management |
Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization. |
| M1017 | User Training |
Develop and publish policies that define acceptable information to be stored in Confluence repositories. |
| ID | Data Source | Data Component |
|---|---|---|
| DS0015 | Application Log | Application Log Content |
| DS0028 | Logon Session | Logon Session Creation |
Monitor access to Confluence repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.
User access logging within Atlassian's Confluence can be configured to report access to certain pages and documents through AccessLogFilter. [1] Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.